COMPLIANCE EXAM QUESTIONS AND
VERIFIED ANSWERS | REAL 2025/2026
SCENARIOS, MULTIPLE CHOICE
QUESTIONS & ANSWER KEY INCLUDED
When should Code of Conduct be distributed to new employees?
Must be distributed within 90 days of hire
RAT-STATS is: (select all that apply)
a. statistical software to select randomized samples
b. government statistical rule software developed in the 1970s
c. free hospital statistical software
d. recommended by OIG, CMS and other agencies to select random samples
a. b. d.
The software can be used by entities other than hospitals, so option "c." is not precisely
accurate, but it is free to use and can be downloaded here:
https://oig.hhs.gov/compliance/rat-stats/index.asp
What is the term for an organization's commitment to compliance by management,
employees, and contractors? The statement should summarize the ethical behavior and legal
principles under which the healthcare organization operates.
Code of Conduct
In the course of an audit, you find that disciplinary actions against certain physicians and
high-level executives for non-compliance in the organization have been unfair and inconsistent
with current policies & procedures. What is your first course of action?
a. Work with legal counsel to enforce proper disciplinary actions
b. Get HR involved and recommend the use of progressive discipline policies
c. Immediately terminate these individuals
d. Get local and federal labor department involved for unfair discipline.
b. Get HR involved and recommend the use of progressive discipline policies
OIG recommends setting forth the degrees of disciplinary actions. Progressive discipline
provides a structure and a set of discipline standards for managers/supervisors to follow to ensure
discipline is fair, equitable and consistent.
Documentation
• A&M should be documented
• Findings should be shared with dept managers
• If activity is part of risk priority then compliance committee, senior leadership and board when
necessary
• OIG calls for written evaluation to be presented to CEO, governing body, committee annually
Non-retaliation in compliance - what is important to state in this policy:
For any reporting method to be effective, employees must accept that there will be no retaliation
or retribution for coming forward.
The concept of non-retaliation is fundamental to the compliance program, and a clearly stated
policy regarding non-retribution is the first step.
• anonymous reporting and,
• no retaliation or retribution for bringing forth problems/concerns
Place to start with Enforcement is:
Standards of conduct and P&Ps
For Enforcement and Disciplinary Actions, Policies should include:
1. non-compliant consequences
2. employees' duty to report non-compliance
3. list parties responsible for appropriate action
4. outline of disciplinary actions or procedures
5. promise that discipline will be fair and consistent
New Employee Policy - three checks OIG recommends to do/perform:
OIG recommends: perform background checks, reference checks, and exclusion list checks
Which two main documents become tools to build compliance program?
Code of Conduct and P&Ps
You are the new Compliance Officer, hired after ABC Hospital reorganized and decided that the
General Counsel should no longer also serve in that role. Upon review of the Code of Conduct
(CoC), you find that it is written using lots of legal jargon. What action do you take:
a. Keep CoC as it is.
b. Pull a sample off the internet and insert hospital name to save time as it was most likely
written by experts.
c. Rewrite the CoC in plain and concise language tailored to the hospital so employees can use it
as general guidance.
d. Rewrite the CoC in detail, restating the hospital's P&Ps and all possible laws and regulations,
so that employees can't say they were not aware of requirements.
c. Rewrite the CoC in plain and concise language tailored to the hospital so employees can use it
as general guidance.
Explanation:
• The CoC should use clear and concise language that is easy to understand, and should be
tailored to the specific issues of the organization
What is the term for an organization's commitment to compliance by the board,
management, and employees? It summarizes the ethical behavior and legal principles under which
the healthcare organization operates.
A) Code of Conduct
B) Federal Sentencing Guidelines
C) Internal Controls
A) Code of Conduct
The U.S. Federal Sentencing Commission was organized in _____, published its initial set of
guidelines manual in _____ (known today as the US Sentencing Guidelines), and included
chapter eight of the Federal Sentencing Guidelines for Organizations in _____.
a. 1980, 1987, 1999
b. 1985, 1987, 1991
c. 1980, 1985, 1987
d. 1985, 1990, 2001
b. 1985, 1987, 1991
The US Sentencing Guidelines (USSG) can be found here: https://www.ussc.gov/guidelines.
Chapter 8 - Sentencing of organizations, includes Parts A-F (Part B 2.b.1 outlines the
Compliance and Ethics Program)
Expectations have evolved since 1991 when the US Sentencing Guidelines (USSG) were first
drafted highlighting the importance of an effective compliance program (and as a condition of
probation) to help detect criminal conduct (USSG chapter 8B2.1). DOJ has now set higher
expectations for organizations to not only have a designated compliance officer but a well
designed compliance program that is adequately resourced with independent authority function
to work in practice. Which of the following guidelines outlines those expectations:
a. HHS OIG - CPG (Compliance Program Guidance)
b. DOJ ECCP (Evaluation of Corporate Compliance Programs)
c. Monaco Memo
d. HHS OIG - CIA (Corporate Integrity Agreement)
b. DOJ ECCP (Evaluation of Corporate Compliance Programs)
The ECCP and other related guidance can be downloaded here:
https://www.justice.gov/criminal/criminal-fraud/policy-materials
The most updated DOJ ECCP (Evaluation of Corporate Compliance Programs) provides
additional guidance to prosecutors. Which of the following are included in the ECCP revisions
(Sep 2024)?
a. expects a company's compliance program to include safeguards to better monitor and manage
potential compliance risk regarding new technologies (e.g., A.I.)
b. expects companies to integrate these new technology-related risks into broader enterprise risk
management (ERM) strategies
c. expands on post-acquisition compliance integration and use of data for compliance purposes
d. all of the above
d. all of the above
The privacy officer for a hospital has updated the Notice of Privacy Practices/NPP to reflect a
material change because the previous notice did not have a description that individuals have the
right to amend their Protected Health Information. The 3rd party review team identified that the
notice did not have the required information to let individuals know of their right to amend PHI.
What's the BEST course of action to correct deficiency?
A. Make arrangements to mail the new NPP to all patients seen within the last year at the
hospital
B. Make arrangements to have the new NPP distributed to new patients that come to the hospital
C. Post a copy of the new NPP on the hospital's internal intranet so that all employees can see the
updated version of the notice
D. Meet with legal to discuss how to best self-disclose to OCR that the hospital was in violation
of the NPP requirements and has since corrected the deficiency
B. Make arrangements to have the new NPP distributed to new patients that come to the hospital
Remember: The NPP must describe the following individual rights:
https://www.law.cornell.edu/cfr/text/45/164.520
• The right to request restrictions on uses or disclosures of PHI for treatment, payment or
healthcare operations; for use in a facility directory (if applicable); or to family members and
others involved in the patient's care; however, the provider is not required to agree to the
restriction except in the case of a disclosure to a health insurer if the individual has paid for the
care as required by
§164.522(a)(1)(vi). This is a change necessitated by the Omnibus Rule.